1.
[Application Control]
The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is:
2.
[Application Control]
Application control is implemented on:
3.
[Application Control]
Allowed and blocked executions on workstations:
4.
[Application Control]
Microsoft’s ‘recommended block rules’ are implemented.
5.
[Application Control]
Microsoft’s ‘recommended driver block rules’ are implemented.
6.
[Application Control]
Application control rulesets are validated on an annual basis or on a defined schedule.
1 out of 8
7.
[Patch Applications]
Patches, updates or vendor mitigations for security vulnerabilities in internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists (e.g. LOB applications such as CRM, accounting software, etc.).
8.
[Patch Applications]
Patches, updates or vendor mitigations for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products (e.g. Word, Excel, PowerPoint, PDF editor, Chrome or other web browsers, etc.) are:
9.
[Patch Applications]
Patches, updates or vendor mitigations for security vulnerabilities in other applications are applied within one month.
10.
[Patch Applications]
A vulnerability scanner is used daily to identify missing patches or updates for security vulnerabilities in internet-facing services.
11.
[Patch Applications]
A vulnerability scanner is used to identify missing patches or updates for security vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
12.
[Patch Applications]
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for security vulnerabilities in other applications.
13.
[Patch Applications]
Internet-facing services, office productivity suites, web browsers and extensions, email clients, PDF software, Adobe Flash Player, and security products that vendors no longer support are removed.
2 out of 8
14.
[Configure Microsoft Office Macro Settings]
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement.
15.
[Configure Microsoft Office Macro Settings]
Microsoft Office macros in files originating from the internet are:
16.
[Configure Microsoft Office Macro Settings]
Microsoft Office macro antivirus scanning is enabled.
17.
[Configure Microsoft Office Macro Settings]
Microsoft Office macro security settings:
18.
[Configure Microsoft Office Macro Settings]
Microsoft Office macros are blocked from making API calls.
19.
[Configure Microsoft Office Macro Settings]
Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location, or digitally signed by a trusted publisher are allowed to execute.
20.
[Configure Microsoft Office Macro Settings]
Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations.
21.
[Configure Microsoft Office Macro Settings]
Microsoft Office macros digitally signed by an untrusted publisher:
22.
[Configure Microsoft Office Macro Settings]
Microsoft Office’s list of trusted publishers is validated on an annual or more frequent basis.
23.
[Configure Microsoft Office Macro Settings]
Allowed and blocked Microsoft Office macro executions are:
3 out of 8
24.
[User Application Hardening]
Web browsers:
25.
[User Application Hardening]
Web browsers do not process web advertisements from the internet.
26.
[User Application Hardening]
Internet Explorer 11:
27.
[User Application Hardening]
Web browser security settings:
28.
[User Application Hardening]
Microsoft Office is blocked from creating child processes.
29.
[User Application Hardening]
Microsoft Office is blocked from creating executable content.
30.
[User Application Hardening]
Microsoft Office is blocked from injecting code into other processes.
31.
[User Application Hardening]
Microsoft Office is configured to prevent the activation of OLE packages.
32.
[User Application Hardening]
PDF software is blocked from creating child processes.
33.
[User Application Hardening]
ACSC or vendor hardening guidance for web browsers, Microsoft Office, and PDF software is implemented.
34.
[User Application Hardening]
Blocked PowerShell script executions:
35.
[User Application Hardening]
.NET Framework 3.5 (including .NET 2.0 and 3.0) is disabled or removed.
36.
[User Application Hardening]
Windows PowerShell 2.0 is disabled or removed.
37.
[User Application Hardening]
PowerShell is configured to use Constrained Language Mode.
4 out of 8
38.
[Restrict Administrative Privileges]
Requests for privileged access to systems and applications are validated when first requested:
39.
[Restrict Administrative Privileges]
Privileged access to systems and applications is automatically disabled after 12 months unless revalidated.
40.
[Restrict Administrative Privileges]
Privileged access to systems and applications is automatically disabled after 45 days of inactivity.
41.
[Restrict Administrative Privileges]
Privileged access to systems and applications is limited to only what is required for users and services to undertake their duties.
42.
[Restrict Administrative Privileges]
Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services.
43.
[Restrict Administrative Privileges]
Privileged users use separate privileged and unprivileged operating environments.
44.
[Restrict Administrative Privileges]
Privileged operating environments:
45.
[Restrict Administrative Privileges]
Unprivileged accounts cannot log on to privileged operating environments.
46.
[Restrict Administrative Privileges]
Privileged accounts (excluding local administrator accounts) cannot log on to unprivileged operating environments.
47.
[Restrict Administrative Privileges]
Just-in-time administration is used for administering systems and applications.
48.
[Restrict Administrative Privileges]
Administrative activities are conducted through jump servers.
49.
[Restrict Administrative Privileges]
Credentials for local administrator accounts and service accounts are unique, unpredictable and managed.
50.
[Restrict Administrative Privileges]
Windows Defender Credential Guard and Windows Defender Remote Credential Guard are enabled.
51.
[Restrict Administrative Privileges]
Use of privileged access is:
52.
[Restrict Administrative Privileges]
Changes to privileged accounts and groups are:
5 out of 8
53.
[Patch Operating Systems]
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.
54.
[Patch Operating Systems]
Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are:
55.
[Patch Operating Systems]
A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services.
56.
[Patch Operating Systems]
A vulnerability scanner is used to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices:
57.
[Patch Operating Systems]
The latest release (or the previous release) of operating systems is used for workstations, servers and network devices.
58.
[Patch Operating Systems]
Operating systems that vendors no longer support are replaced.
6 out of 8
59.
[Multi-factor authentication/2Factor authentication(2FA)]
Your organisation’s users use Multi-factor authentication/2FA if they authenticate to their organisation’s internet-facing services.
60.
[Multi-factor authentication/2Factor authentication(2FA)]
Your organisation’s users use Multi-factor authentication/2FA if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s sensitive data.
61.
[Multi-factor authentication/2Factor authentication(2FA)]
Your organisation’s users use Multi-factor authentication/2FA (where available) if they authenticate to third-party internet-facing services that process, store or communicate their organisation’s non-sensitive data.
62.
[Multi-factor authentication/2Factor authentication(2FA)]
Multi-factor authentication/2FA is enabled by default for non-organisational users (but users can opt out) if they authenticate to an organisation’s internet-facing services.
63.
[Multi-factor authentication/2Factor authentication(2FA)]
Multi-factor authentication/2FA is used to authenticate privileged users of systems.
64.
[Multi-factor authentication/2Factor authentication(2FA)]
Multi-factor authentication/2FA uses:
65.
[Multi-factor authentication/2Factor authentication(2FA)]
Successful and unsuccessful multi-factor authentications/2Factor authentications:
7 out of 8
66.
[Regular Backups]
Backups of critical data, software and configuration settings are performed and retained in a coordinated and resilient manner per business continuity requirements.
67.
[Regular Backups]
Restoration of systems, software and essential data from backups is tested in a coordinated manner as part of disaster recovery exercises.
68.
[Regular Backups]
Unprivileged accounts:
69.
[Regular Backups]
Unprivileged accounts:
8 out of 8